Cryptzone has published the results of its SharePoint Security Survey at SPTechCon in Boston. The survey, undertaken amongst SharePoint practitioners at the Microsoft conference in Las Vegas, reveals how many organizations have inadequate security and governance measures in place to help prevent data misuse and loss from their SharePoint environments. Whether this is because managers naively still believe that SharePoint is not a repository for sensitive and confidential information or they have not got to grips with central management of sprawling SharePoint deployments is unclear.
40% of participants admitted that they, or people they know, have accessed information not intended for their consumption. While salary details topped the list for unauthorized access to sensitive content (46%), valuable data assets, such as insider information, M&A details and intellectual property, represented more than one third of contraventions, which should sound alarm bells in many a boardroom. “Data leaks of this nature are not just about non-compliance, but can affect the business results of the whole enterprise,” says Einar Lindquist, CEO at Cryptzone.
More than half (55%) of those questioned had sent documents to someone without sufficient SharePoint permissions to access a document for themselves. Whether this behaviour is for legitimate business reasons or not, Cryptzone asserts that organizations should take note of the frequency with which data is being shared beyond the confines of SharePoint both to other employees and external collaborators. People are moving data around, so organizations need to deploy secure mechanisms to achieve this safely and be able to track flows of sensitive content, in order to uphold security and compliance standards.
Although the survey shows that the IT security awareness message is being heard, it is ignored by the majority. 76% of those surveyed know that by copying or sending sensitive content outside of SharePoint, information is more vulnerable to data breaches. Organizations are clearly finding it difficult to stop this kind of activity. With the continued dominance of email communication and the rise of file sharing sites, such as Dropbox, Cryptzone considers there is an urgent need to put in place security tools that enable employees to work more responsibly, without hindering their productivity. While many respondents did not consider the documents they were sharing to be of a sensitive nature, over one third admitted that they were “Not bothered if it helps me get the job done”. It is therefore imperative that any security measures implemented be very easy to use or transparent to users. Perhaps more worryingly, 28% did not consider protecting data part of their responsibility. Evidently, raising levels of IT security awareness does not necessarily change behaviour and instil a sense of accountability.
“Many of the SharePoint environments our engineers come across have very little security, so people are at liberty to do almost what they please with the content they find,” states Einar Lindquist, CEO at Cryptzone. “SharePoint sites may have escaped the intense scrutiny of auditors in the past, but that’s all changing. The CIOs and CISOs, who I am talking to, recognize that their SharePoint sites are unquestionably being used to store personal and commercially sensitive information that requires effective data protection.”
Other Survey Statistics
* IT Administrators continue to wield the power for managing access rights within SharePoint (77%)
* 59% do not trust document authors to control who reads the documents they create in SharePoint.
* 40% of participants admit that they, or people they know, have accessed information not intended for them.
* 58% are opening up access to external collaborators, but nearly 25% still don’t give third party access to SharePoint collaboration environments.
* All types of users are circumventing security policies, thereby increasing the risk of security incidents.
* SharePoint professionals do not trust content authors to appropriately manage access rights to SharePoint content.
* SharePoint IT professionals are frequently abusing access privileges to look at sensitive data without the knowledge of their employers.
* People have a genuine need to share information outside of the SharePoint environment for third party collaboration with customers, partners & other stakeholders.
* There is a need for tools that enable workers to take full advantage of the collaboration capabilities of SharePoint, yet enforce corporate policies on data protection and IT security.
SharePoint Security Recommendations
1 Ensure that encryption and access management stays with the document regardless of whether SharePoint content is moved, copied or changed in any way.
2 Provide an integrated method for secure communication, which allows users to share SharePoint content appropriately within and outside the network, enabling productivity and data protection.
3 Establish rule based access rights management to automate SharePoint security controls, thereby avoiding errors that leave content vulnerable to data misuse.
4 Ensure a separation of duties, so that SharePoint administrators cannot circumvent security policies and cause an accidental or malicious breach.
5 Adopt a thorough approach to reporting all administrative actions and events involving sensitive SharePoint content, in order to spot security threats early and prevent the cover up of administrator abuses.